The SWIFT Approach to Payments Security

Posted by Srinivas Pachigolla on 27 Feb 2019

Ensuring the security of Alacriti’s payments environment is an ongoing process that demands collaboration and cooperation across the entire organization. Our role in facilitating electronic bill payments means we are subject to the stringent requirements set forth by HIPAA, HITECH, and PCI DSS. As more threats and bad actors emerge, we too must evolve to provide a safe electronic solution that our clients and end users can trust.

Our security discipline also demands that we stay aware of and communicate other security approaches to our community. A recent development is SWIFT’s Customer Security Programme (CSP), which is yet another way to help protect the health of the financial system and the counterparties within it.

Here’s an introduction to SWIFT, its CSP, and information on its Customer Security Controls Framework, which lays the foundation of the program.

What is SWIFT?

SWIFT is an acronym for the Society for Worldwide Interbank Financial Telecommunication. SWIFT provides a platform for standardized messaging and communication that connects over 11,000 banking and securities organizations, market infrastructures, and corporate customers across the globe. The platform supports money movement worldwide by carrying secure, standardized financial messages between organizations.

What is SWIFT’s Customer Security Programme (CSP)?

SWIFT developed its CSP to help thwart cyberattacks and the negative consequences they can have on businesses, consumers, and organizations around the world. The global ubiquity of SWIFT’s platform makes it a natural place to implement security protocols that help organizations better protect their transactions from fraud. The CSP is built around three core steps:

  1. Organizations should understand SWIFT’s Customer Security Controls Framework
  2. Organizations should close any gaps they identify against the controls
  3. Organizations should self-attest their level of compliance

In 2017, SWIFT introduced the CSP in self-attestation mode, which allowed participants to familiarize themselves with the goals, framework, lifecycle steps, and threat mitigation principles of the program. In 2018, SWIFT allowed participants to build on that experience and improve their security posture with additional mandatory controls.

What is the Customer Security Controls Framework (CSCF) v2019?

The CSCF v2019 provides additional guidance and clarification on the previous implementation guidelines announced with the CSP. It includes changes to the existing controls and promotes three existing advisory controls to mandatory controls, while adding two new advisory controls.

Mandatory controls include restricting internet access, segregating critical systems, preventing compromise of credentials, and detecting anomalies. Read the full framework here.


How does SWIFT’s CSP help an organization’s overall security?

When a participating organization attests its level of compliance, that attestation can then be shared easily, in a standard manner, with counterparties. This streamlined communication can help mitigate risk and lets organizations decide whether certain counterparties they deal with require additional controls.

How does SWIFT’s CSP help with payments?

SWIFT’s CSP also includes a Payment Controls service that sends alerts for suspicious or out-of-policy messages. The Payment Controls service leverages real-time payments monitoring, behavioral patterns, and independent daily reporting to help mitigate the risk of fraud.

The Bottom Line: The CSP helps SWIFT customers secure their own environments, detect fraud among their counterparties, and share information that can protect against future threats. This approach promotes both individual responsibility and shared responsibility by improving information sharing throughout the community.

Srinivas Pachigolla, Sr. Manager, Operations & GRC

Srinivas has extensive professional experience in information security, risk, and governance. He is a member of Alacriti's GRC Team, which maintains compliance with PCI DSS, HIPAA/HITECH, SOC (SSAE18), FFIEC, NIST, and other applicable regulations and standards. Srinivas manages a team of risk and security specialists that perform functions including risk identification, assessment, and treatment.